Why phishing works: Psychological reasons

One click of a button can cost you an arm and a leg. Not literally, but phishing scams can get pretty ugly. What’s worse is that people continue to fall for them because hackers are only getting better.

How do we deal with the phishing menace? Sadly, it’s a solution technology cannot give. That’s why when it comes to social engineering, we turn to psychology for answers.

Why people fall for phishing scams in short:

  • They’re urgent and make us act fast.
  • They look legitimate.
  • They prey on our weak spots.

    Our weakest emotional points in phishing

    Phishing exploits our psychology. If we look at studies, people most often fall for phishing scams that use urgency, uncertainty, and authority¹.

    Sense of urgency makes us react without thinking

    Emails and subject lines that sound urgent are a hacker’s bread and butter. It’s one of the most common ways you can expect to meet a scammer².

    The idea is to back someone into a corner where they feel like there’s not enough time to make a decision. Naturally, they act quickly. This can lead to clicking on malware-ridden links or giving away personal information on malicious websites.

    Threat actors often use this tactic when spear phishing. They can pretend to be a vendor, someone’s boss (Business Email Compromise), or a service provider. 

    Urgent spear phishing emails have a much higher success rate than spam tactics because they’re crafted for each individual.

    Uncertainty induces anxiety and makes us less perceptive to phishing

    Unsettled times are always scary for some but opportune for others. 

    With COVID-19, the number of average daily emails people received grew, followed by the number of phishing attempts³. This allowed hackers to carry out Coronavirus-related phishing scams. 

    It was everywhere. Hackers posed as institutions like the CDC (Centers for Disease Control and Prevention)⁴ or the FCC (Federal Communications Commission) trying to extract people’s personal information. And it worked.

    Fear influences our decision-making but not in a way you’d think. It actually makes people more sensitive towards risk because you become alert.

    Logically, this should make people more careful when it comes to phishing attempts (and it does if you’re cautious and informed about phishing itself³).

    But the problem that arose during the pandemic was very human. Amid the COVID-19 confusion, people didn’t think about phishing. Instead, they thought about the virus. In the end, it was a great distraction for hackers, who lined their pockets by leveraging people’s fear.

    Authority can make us blind to phishing attempts

    We often view emails or phone calls from authoritative figures as more legit. For this reason, scammers love to pose as people’s bosses or institutions.

    Assuming saves us time. If we receive emails from authoritative figures, we rarely question their contents because most workplaces are hierarchies.

    Hackers use this approach to make their phishing attacks look more legitimate and compelling.

    These scams work because it is easier to follow orders without questioning them. In other cases, the phishing email might be crafted to blend into your workflow. This is especially dangerous if you receive hundreds of them a day.

    Why some people fall for phishing, but others don’t

    Sense of urgency, uncertainty, and authority are merely strategies that make us tick. But they don’t explain why some people fall for them while others don’t.

    According to studies, certain Big Five personality traits⁷ impact how likely people are to fall for phishing. Here’s how:

    1. Conscientious (organized, productive, responsible) people are less likely to fall for phishing attacks⁸.
    2. People with higher neuroticism (prone to anxiety and depression) fall for phishing scams more often⁸,⁹.

    These points bring me back to our discussion about uncertainty. After all, it is often difficult to distinguish anxiety from fear. Both can make us act without thinking, and in this case – take the bait and fall for the scam.

    On the other hand, organized and responsible people are better at spotting phishing. Education and training to deal with phishing are the right, if not the only, way to stop social engineering.

    Confidence can be your phishing downfall

    In cybersecurity, we are often our own worst enemies.

    People often overestimate their abilities to deal with cyberthreats, studies found⁸,¹⁰. Many believe that they would fall for phishing less than their colleagues.

    The authors of the studies called this overconfidence. They also said that people often believe they are in control of the situation when they are clearly not.

    These findings are suggestive, to say the least. A different study¹¹ showed that people aged 18 to 25 were more susceptible to phishing. Why is that? Well, it’s no secret that the younger people are, the more they overestimate themselves.

    In fact, people learn to be more careful and self-aware with more life experience.

    People who are more suspicious are better at spotting phishing scams¹². It’s simple, really: if you ask for more information about the requests you receive, you are less likely to get scammed.

    Suspicion is usually something people learn the hard way by making honest mistakes. 

    Knowledge is the answer to stop phishing, but…

    Knowledge and training about phishing are the only strategies that work against social engineering.

    But the approach is not faultless. The problem with using this knowledge against phishing scams is that it’s hard to carry over:

    • We can get stuck in our own bubble. Being an expert in one area doesn’t mean you’ll do similarly well in a different field¹³. For example, knowing about cybersecurity doesn’t mean you’ll be careful against phishing.
    • Our knowledge does not move into other scam areas¹⁵. Some people may be good at identifying financial scams but not identity theft, or vice versa.
    • Being more adept with computer technology does not reduce phishing risks⁸. Higher CMC (Computer-mediated communication competence) or using the internet more often did not show lower phishing risks.

    The knowledge that reduces phishing risks needs to be specifically about phishing. This is what makes phishing so difficult to tackle. It becomes a bigger challenge to companies and a fatter payout to hackers.

    Tackling phishing with psychology

    Now that we understand how phishing makes us tick, what can we do about it? 

    To prevent the most common phishing strategies, keep an eye out for:

    • Urgency. Carefully read emails and messages with urgent subject lines or timers.
    • Authority. If you receive odd requests from your boss or manager, don’t be afraid to double-check. Better be safe than sorry!
    • Uncertainty. Keep in mind that scammers thrive when other people are scared. Be extra cautious during times of distress like COVID!

    Awareness and due diligence are the only strategies proven to work against phishing. And so it’s up to education to save us from being owned by scams. 

    For workplace management and education, consider the following:

    • Expose people’s overconfidence. Running mock phishing attacks to expose people to phishing is the best way to keep them sharp and show them that they need education!
    • Target specific attack vectors. Since phishing knowledge doesn’t transfer well, provide in-depth training on different kinds of social engineering.
    • Create an anxiety-free environment. Anxiety is bad for many reasons and phishing susceptibility is one of them. For people to be focused and careful, their workplace should not provide extra stress.

    At the end of the day, only you can prevent phishing scams. And that goes for most security areas that require human interaction.